fix(GHA): harden deploy workflows with env vars and explicit secrets (#66138)

2026-05-28 18:26:54 +00:00 · 2026-03-01 09:47:18 +05:30
parent 5f3bb979cb
commit 59ab2e4103
3 changed files with 21 additions and 7 deletions
@@ -33,12 +33,15 @@ jobs:
    steps:
      - name: Setup
        id: setup
+        env:
+          BRANCH: ${{ github.ref_name }}
+          SHOW_UPCOMING_CHANGES: ${{ inputs.show_upcoming_changes }}
+          API_LOG_LVL: ${{ inputs.api_log_lvl || 'info' }}
        run: |
-          BRANCH="${{ github.ref_name }}"
          echo "Current branch: $BRANCH"

          # Convert boolean input to string 'true' or 'false'
-          if [[ "${{ inputs.show_upcoming_changes }}" == "true" ]]; then
+          if [[ "$SHOW_UPCOMING_CHANGES" == "true" ]]; then
            echo "show_upcoming_changes=true" >> $GITHUB_OUTPUT
          else
            echo "show_upcoming_changes=false" >> $GITHUB_OUTPUT
@@ -49,13 +52,13 @@ jobs:
              echo "site_tld=org" >> $GITHUB_OUTPUT
              echo "tgt_env_short=prd" >> $GITHUB_OUTPUT
              echo "tgt_env_long=production" >> $GITHUB_OUTPUT
-              echo "api_log_lvl=${{ inputs.api_log_lvl || 'info' }}" >> $GITHUB_OUTPUT
+              echo "api_log_lvl=$API_LOG_LVL" >> $GITHUB_OUTPUT
              ;;
            *)
              echo "site_tld=dev" >> $GITHUB_OUTPUT
              echo "tgt_env_short=stg" >> $GITHUB_OUTPUT
              echo "tgt_env_long=staging" >> $GITHUB_OUTPUT
-              echo "api_log_lvl=${{ inputs.api_log_lvl || 'info' }}" >> $GITHUB_OUTPUT
+              echo "api_log_lvl=$API_LOG_LVL" >> $GITHUB_OUTPUT
              ;;
          esac

@@ -67,7 +70,9 @@ jobs:
      site_tld: ${{ needs.setup-jobs.outputs.site_tld }}
      app: api
      show_upcoming_changes: ${{ needs.setup-jobs.outputs.show_upcoming_changes }}
-    secrets: inherit
+    secrets:
+      DIGITALOCEAN_ACCESS_TOKEN: ${{ secrets.DIGITALOCEAN_ACCESS_TOKEN }}
+      DOCR_NAME: ${{ secrets.DOCR_NAME }}

  deploy:
    name: Deploy to Docker Swarm -- ${{ needs.setup-jobs.outputs.tgt_env_short }}
@@ -41,12 +41,14 @@ jobs:
    steps:
      - name: Setup
        id: setup
+        env:
+          BRANCH: ${{ github.ref_name }}
+          SHOW_UPCOMING_CHANGES: ${{ inputs.show_upcoming_changes }}
        run: |
-          BRANCH="${{ github.ref_name }}"
          echo "Current branch: $BRANCH"

          # Convert boolean input to string 'true' or 'false'
-          if [[ "${{ inputs.show_upcoming_changes }}" == "true" ]]; then
+          if [[ "$SHOW_UPCOMING_CHANGES" == "true" ]]; then
            echo "show_upcoming_changes=true" >> $GITHUB_OUTPUT
          else
            echo "show_upcoming_changes=false" >> $GITHUB_OUTPUT
@@ -36,6 +36,13 @@ on:
        type: string
        description: 'Input: Show upcoming changes flag (true/false)'
        default: 'false'
+    secrets:
+      DIGITALOCEAN_ACCESS_TOKEN:
+        required: true
+        description: 'DigitalOcean API token for registry authentication'
+      DOCR_NAME:
+        required: true
+        description: 'DigitalOcean Container Registry name'
    outputs:
      tagname:
        description: 'Output: The tagname for the image built'